Cisco Virtual Office-Deploying IP Security High Availability

Available Languages

Download Options

This white paper provides detailed design and implementation information for deploying IP Security (IPsec) High Availability (HA) with Cisco® Virtual Office. Please refer to the Cisco Virtual Office overview (found at http://www.cisco.com/go/cvo) for further information about the solution, its architecture, and all of its components.

Introduction

IPSec HA provides an infrastructure for reliable and secure networks, with the goal of providing transparent availability of VPN gateways (such as Cisco IOS
® Software based routers). This feature works well for all IPSec-based networks. In the Cisco Virtual Office solution, IPsec HA can be used to provide redundancy-for example, stateful failover and rollback of the gateways-to provide uninterrupted management connectivity to the spokes. For more details on deploying Cisco Virtual Office, please refer to the links provided in the references section.

Topology

In the Cisco Virtual Office deployment, IPsec HA can be incorporated into the management gateways. The topology for the deployment is given in the Cisco Virtual Office overview at
http://www.cisco.com/go/cvo.

Redundant management gateways can be deployed using IPsec HA as shown in Figure 1.

Note: Both active and standby gateway routers should be the same platform type and have the same encryption card.

The Hot Standby Router Protocol (HSRP) is used to achieve redundancy between the management gateways. The spoke views the virtual IP address of the HSRP as the IP address of the management gateway. This setup allows any failover on management gateways to be transparent to the spoke. Once an IPsec session is established with the active router (management gateway), the corresponding session's Internet Key Exchange (IKE) security associations (SAs) and IPsec SAs are sent to the standby router, using interprocess communication (IPC), and both the active and standby routers maintain the session information of the spoke. When the active management gateway goes down, the standby gateway takes over as active and handles the IPsec sessions transparently. This avoids the need to reestablish the session.

Configuration

Figure 2 shows the short version of the topology to map the IP addressing with the configuration examples given in the sections that follow.

Figure 2. Topology for Configuration Examples

The configuration examples provided here use public key infrastructure (PKI) so spokes connected using PKI will failover automatically.

The same deployment scenarion will also work with pre-shared keys.

Configuration on Management Gateway 1

! Configures redundancy and enters inter-device configuration mode.

redundancy inter-device

scheme standby ha-in

!

!

! The commands below configure interprocess communication (IPC) between the two gateways.

To help troubleshoot possible interdevice configuration problems, issue the following command.

debug redundancy Debug Redundancy Facility options

To help troubleshoot possible IPSec HA-related problems, issue any of the following commands.

debug crypto ha Debug Crypto High Availability

(generic) debug

debug crypto ipsec ha detail Debug IPsec High Availability detailed

debug crypto ipsec ha update Debug IPsec High Availability updates

debug crypto isakmp ha Debug ISAKMP High Availability

The following show and clear commands display the state of the devices and the state of crypto sessions.

show redundancy [states | inter-device] Show Redundancy Facility

states or interdevice

information, respectively

show standby Show HSRP information

show crypto isakmp sa [active | standby] Show HA-enabled ISAKMP SAs

in the active or standby

state, respectively

show crypto ipsec sa [active | standby] Show HA-enabled IPSec SAs

in the active or standby

state, respectively

show crypto session [active | standby] Show HA-enabled crypto

sessions in the active or

standby state,

respectively

show crypto ha Show Crypto High

Availability information

clear crypto isakmp [active | standby] Clear all HA-enabled IKE

SAs in active or standby

state, respectively

clear crypto sa [active | standby] Clear all HA-enabled IPSec

SAs in active or standby

state, respectively

clear crypto session [active | standby] Clear HA-enabled crypto

sessions in the active or

standby state,

respectively

Deployment Considerations

• IPsec HA is supported only on limited platforms. The platform list includes the Cisco 7206 and 7301 Routers, the Cisco 3800 Integrated Services Router, and the Cisco 6500 Catalyst Switch.

• When a router is first configured for interdevice redundancy, the router has to be reloaded for the configuration to take effect.

• When one of the interfaces of an active router goes down, the standby takes over as active and handles all the operations. However, the previous active undergoes a reload and eventually stabilizes as standby (provided the priority of the router is at or below the current active router).

• It is mandatory that the routers be connected via a hub or a switch. In the event that routers are connected back to back, note that anytime the active router reloads, the standby also reloads. This defeats the purpose of IPsec HA.